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Description 

Cross-Reference to Related Applications 

pool] This application claims priori* * 
co-oending application having U.S. Serial no. 
SnSii ^February 12. 1999 co- 
pending application having U.S. Sena. No. 60/144,927 
filed July 21, 1999. 

Field of the Invention: 

r00021 The present invention relates generally to 
Se fil d of bankLd transactions and more particular* 
to a method and system for securely performing , a b£ 
card transaction utilizing an anonymous or alternate 
card number. 

Background of the Invention 



[0003] Transaction card transactions that occur 
'over L Internet today utilizing * 
infrastructure are most commonly performed for exam 

referred to as the man-in-the-m.ddle attack. The Ink is 
anc^pted so that no eavesdropper can l.ster ,, and 
JeaTthe card number. However, this method has a 
number of disadvantages. 

ioofl For example, the cardholder must trust _fne 
merchant with safeguarding the card number. ^Th.s 
Tea es the cardholder vulnerable to a risk of fraud by a 

but who is nevertheless negligent in maintain ng the 
^ lant's web site against break-ins. This ,,sk is gj at 
enough to discourage customers from giving their card 
numbers to merchant web sites over the Internet whom 
™ey do not know or with whom they have no previous 

tO X 0 P oT Ce The particular risk is limited with credit cards 
nd°debi. cards'by consumer ^o^sj^ 
elation rules to a maximum exposure, such as $50 limn. 
Fu Ser the cardholder has an opportunity, for example 

deducted from the— de * "ZtToT^l 

ctiii a nu sance and a nsK, ana m me w 

™d and card number. The risk is greater with deb t 
caSs bemuse the limitation of liability is not as dear 
h rharae is deducted from the cardholder's 
acco n b ore he or she is informed. Thus, with adebK 
carTthe cardholder is placed in the posifon of having 



,o dispute the deduction in order to regain his or her sto- 

len funds. . t 

[00061 Another disadvantage, for example, is that 
when a merchant accepts a card number from a cus 
5 ler over the Internet, the merchant 

authenticating that the customer ma tang *• J^JJ " 
the actual cardholder. The transaction is treated as a 
Mai, olrATelephone Order (MOTO) transactor, ateo 
known as a "card not present" transaction In such a 
« fransacfion the merchant's transaction cost and expo- 
Lre fs much greater than when a customer is physicaHy 
£ ntatthe point-of-sale. If the c-^"^* 
disputes having made the transaction, the merchant 
payment is reversed by the card issuer 
« 100071 These disadvantages provide mcent.ves for 
SL approach to security for bankcard transactions 
from Te standpoint of both cardholders and merchan s, 
oroviSed iHs Li, simple and inexpensive. Many so.u- 
i n hav been proposed to address this need, most 
tat*, th* Credit Card Association's standard specifi- 
20 Zt^S^oLc Transaction (SET) protocol. A 
SS'mSh solutions such as SET is that they unpose 
a sSi cost and performance penalty, requ.rmg 
bo m Soiders and merchants to instaH spec*, soft- 
25 ware and/or hardware that add significantly to transac 
tion costs, in terms of both money and time. 



Summary of the Invention 

«. tOOOSl It is a feature and advantage of the present 
Eon to provide method and system for secure* 
per ming a bankcard transaction which affords a of 
h 6 e acc unt number of security of the SET protocol a 
well as the ability to authenticate the customer, wh. e 
ss Si the simplicity of sending a transact™ card 
number over an encrypted link, such as SSL. 
0009 t is another feature and advantage of the 
present invention to provide a method and system for 
surety performing a bankcard transaction which el.m- 
40 nates iansmitting the customer's actual card number 
Ter the Internet to the merchant and likew,se el.mi- 
Tateste need for a secure link between the customer 

S..T ^further feature and advantage of the 
45 present invention to provide a method and system for 
securely performing a bankcard transaction such as a 
credTca* or debU card transaction, that is fast and 
Jasy implement and that requires little, if any, mod.fi- 
cation to the existing Internet infrastructure. 
so raOIH To achieve the stated and other features 
advantages and objects, an embodiment of the present 
invention provides a method and system for secure y 
Siting an bankcard transaction in which a transac- 
KoTcaTd user receives an alternate or anonymous card 
« number atts not the user's actual card number but tatis 
55 • nei for example, to P~-*— 

made by a merchant or the merchants bank^The alter 
Tate or anonymous card number can be used only once 
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within a limited time period and cannot be cop ed and 
replayed Upon receipt of the anonymous or alternate 
cXmbe? by the transaction card issuer, the anony- 
mous number can be associated by the card issue 
Me proper cardholder and the cardholders account 
can be authorized. 

,0012] in an embodiment of the present inventon 
he transaction card user authenticates himself or her- 
S. for examp.e, to an authenticate of 
card issuer's server. The transact.cn card use can 
TuthenLte himself or herself, for example, by entering 

such as a personal computer, a personal digital assist 
anJ or a smart card, coupled to the card issuer's server 
over a network, such as the Internet. 
W 31 m addition, in an embodiment of the present 
nventon. an electronic wallet application of the comput- 
IJU. can be utilized by the transaction card use 
for sending the transaction card user ,nformat.on to the 
Snsaction card issued server for user authe— • 
The transaction card user information includes for 
IxampTe one or more of a persona, ident, cation 
number, a password, a biometric sample, a digita s 9; 
nature or the transaction card number for the : transac 
ton card user, and the transaction card user .nformation 

S,S "^alternative aspect for an embodiment 
of the present invention, the transaction card user 
authenticates himself or herself with the transacts 
" 5 user information at a local computing dev.ce such 
Z a personal computer, a persona, digital assistant or 
a smart card of the transaction card user. In this aspec , 
theTansaction card user authenticates himself or her- 
Sf on an application of the transaction card user's local 
computing device, such as an electronic wa. e appl.ca- 
?,on * entering the transaction card user information 
on the application at the local computing dev.ce. 
WIS] in an embodiment of the present , nventon 
Ihen the transaction card user is authentoa ted * £ 
transaction card issuer, a number generator of the 
faction card issued server generates an anony- 
mous card number for the transaction card user. How- 
Zr iMhe alternative aspect in which the transacton 
cart user authenticates himself or herse.f on an app -ca- 
ton of the transaction card user's local computog 
device, the anonymous card number is likewise gener- 
ated at the local computing dev.ce, for example by a 
number generating application of the local computog 
dele which is synchronized with the number generator 
of the transaction card issuer's server 
[0016] The anonymous card number for an embod- 
iment of the present invention is generated accor ,n S to 
a number generating scheme, such as a random 
number generating algorithm, a T*""^^ 
erator, and/or a secure-hashing algorithm. Further, the 
anonymous card number is generated according ,t pre- 
defined parameters limiting its use to the particular 
transaction and/or for a predetermined time period. 



100171 In an embodiment of the present invention, 
he anonymous card number generated by the transac- 
ton Z I issuer is associated with a transaction card 
number of the transaction card user, for example by 
, nktg the anonymous card number with the transacton 
5 ^number by either or both of the number generator 
I authorization processor of the transacton card 
issuer's server. , 
[00181 However, in the alternative aspect .n which 
anonymous card number is generated at the trans- 
action card user's local computing dev.ce, the anony- 
mous *rd number is linked with the transacton card 
number according to a pre-defined sequence j»n*£ 
nization between the number generator of th ocal 
,5 computing device and the transacton card .ssue^s 

iS in an embodiment of the present invention, 
L aionymous or alternate card number is used -n a 
transaction by the transaction card user .n p lace of the 
20 transaction card user's transacton card number. For 
Smp e, the transaction card user sends the anony- 
mous cad numberto the merchant, which .n turn sends 
tt to the merchant bank with a request for author^ 
The merchant's bank sends the anonymous card 
25 number over the card association network to the trans 
actTon card issuer. The transaction card .ssuer-s author- 
StonTrocessor receives the anonymous card numbe 
"ked with the transaction card r^"*"^ 
authorization back to the merchant via the card assoc. 
so ation network and the merchant's bank. 

[002O] inanotherembodimentofthepresentrnven- 
ion tie anonymous or alternate card number is used in 
a transaction by the transaction card .ssuer after 
uSSing the user. For examp.e, the transaction 
35 ca rd user authenticates himself to the 

the issuing bank sends the anonymous card number 
directly to the merchant which, in turn, sends .t to the 
merchant's bank with a request for authonzat.on 
^0021] in another embodiment of the present .nven- 
40 ion the transaction card user authenticates himself to 
he t ansaction card issuer, and the transacton card 
su r sends the anonymous card number afong wrth 
an authorization, directly to the merchant w^.n tura 
sends both the anonymous card number and the 
45 SSion to the merchant's bank for 

Processing. The transaction card user uses the actua 
faction card number and the alternate card number 
for 2 and communicating to its transaction card 
user and the alternate card number and author.zat.on 
so number segment with the merchant bank and card 

Sr 9 Sn k , object, advantages and novel 
Lures of the invention will be set forth .n part in the 
de ption which follows, and in part will become ^more 
« aooarent to those skilled in the art upon exam.na ion of 
55 Swing or may be learned by practice of the mven- 
tion. 
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Brief Description of the Drawings 



[00231 



Fia 1 is a schematic diagram which 
overview of exampies of key components and the 
^formation between the key component fo 

anonymous or alternate card number ,s sent to a 
caSder by a card issuer for use in an on-i.ne 
bankcard transaction; , 
Fta2 is aflow chart which illustrates an example of 
Z'orocess of the cardholder performing a bank- 

the card issuer for an embod.ment of the present 

overview of examples of key components an I the 
Sow of information between the key ^P 0 "^ 
an embodiment of the present invention ,n which an 
anonymous or alternate card number is generated 
STirthoWert computing device for use .n an 
on-line bankcard transaction; 
Sg 4 is a flow chart which illustrates an example £ 
the process of the cardholder Performing a bank 
Ld transaction using the anonymous or atterna J 
card number which was generated at the card 
S^mputingdevicefor an embodiment ofthe 

^SsTsSmatic diagram which illustrates an 
overview of examples of key components and I the 
Sf of information between the key 
an embodiment ofthe present invention in which an 
anonTmous or alternate card number is generated 
a ooint of sale for the cardholder; and 
Fin 6 is a diagram which illustrates a sample of a 
[ near Feedback Shift Register used to generate 
anonymous or alternate card numbers for an 
embodiment of the present invention. 



Detailed Description of the Invention 
rnMAi Referring now in detail to an embodiment of 

which an anonymous card ^ " "^iSd 
merchant's website server 12, and a cara 



server 14 each coupled over a network, such as the 
f L IB as well as a merchant (acqu.rmg) bank 
e'er coup-edt the merchant server 12 and also 

E SOr in an embodiment of the present invention 
u ,ihnLr 2 receives an alternate card number 

rSo^cSSJa and^e cardholder's account 
^^taflow chart w*ich illustrates an 

r0027] Referring further to Pig. A'"* 12 
of the Uent invention, at 86. the 

r 2 VreceLeI\nTre q uest for authorfcation, links the 
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server 18 over the card association network 20 At S8 
Z Z chant (acquiring) bank's server 1 8 receives the 
th„ri 7a tion and sends it to the merchant's server 12. 

tion and completes the transaction w,th the user 2. 
rntuai Referring again to Fig. 2, in an embodiment 
St Ue^ tvention , the cardho.der 2 authenticates 

with the cardholders issuing bank 8 at S2, ut,l.z.ng, tor 
example an electronic wallet 28 as shown .n Fig. 1. 
Sn the cardholder 2 is authenticated, he or she 
recess the anonymous card number over the same 
ine at S3 Alternatively, at S3, the cardholder 2 can 
Tave the anonymous card number sent by the card 
Jsuer 8 directly to the merchant 4, in which case, rt ,s 
'nX issary lr the cardho.der 2 to send the anony- 
mous card number to the merchant 4 at S4. 
S] R^rring once more to Fig. 2, in an embodi- 
ment of the present invention, the cardholder 2 authen- 
Ss himself or herself to the cardholder's .ssu.ng 
STe b^ing ^ his or her card number and a secre 
Vm or password or hash of a PIN or password a the 
u er-s imputing device 10 anc Isending ,* over an 
encrypted link to the issuing bank 8 at S2^ The 
Sed link ensures that -WPJJ-MJ 
drop and steal the card number and PIN. The card 
holder 2 can feel secure that the card number, PIN or 
password or hashed PIN or password are safe w.th the 
Sbank 8, as the issuing bank 8 already knows and 
safeguards this information. Because the cardholder 2 
auScites himself or herself with a PIN 
me issuing bank 8 can authenticate the cardholder 2 to 
me merchant 12. If the transaction or the customers 
SstoTy warrants, the issuing bank 8 can require more 
s ture authentication, such as addi ona secrets, 
matching biometrics, and/or digital signatures. 
SS] inanaltemativeaspectofanembodimentof 
he present invention, the issuing bank 8 can msta soft- 
ware on L cardholder's PC or information appliance 
To such as a smart card or personal digital assistant 
Polype computing device, that can generate the 
anonymous card number after the cardholder 2 ,den 
^himself or herself to the ^^ra^ 
10 Fia 3 is a schematic diagram which illustrates an 

information between the key components fo an al ter 
nTaspect of an embodiment of the P*«*r"£ 
in which an anonymous card number is ^^f.^^^^g^j^ 
cardholder's computing device 10 in an on-l ne transac 
ton. in this aspect, the card issuer 8 can 
30 on the cardholder's computing device 10 wh.ch , can 
be a personal computer (PC) or hardware token such 
as a smartcard, that generates the anonymous .card 
number locally upon authentication of he cardholder 2^ 
roo31l Fig. 4 is a flow chart which illustrates an 
ixamL of the process of the user 2 performing a bank- 
oaT ansaction for an embodiment of the present 
Zl ion in which the anonymous card number ,s gen- 



erated at the cardholder's computing device 10. Refer- 
SSto Fig 4, at S10 , the merchant server 12 sends a 
Zest for a transaction card number over the Internet 
16 to the cardholder 2 at the cardholder's computing 

at the cardholder's computing device 10, and the 
number grating software 30 at the cardholder's com- 

number to the merchants server 12. A 812 the mer 
chart's server 12 receives the alternate card number 
10 S sends a request for ^^^^^ 
card number to the merchant (acqu.nng) banks server 

!o0321 Referring furtherto Fig. 4, in an embodiment 
« S the present invention, at S13. the merchant (acqu^- 
15 J) ban" server 18 receives the request and ser , s 
tie request over the card association network 20 to the 
Sd issued server 14. At S14 the <^r»~"£ 
nate card number generator 24 * B J£J£* 
20 Generates the next number in sequence synchromzed 
S TZ I dholder-s software 30. links the alternate <* d 
numoeTto the cardholder's actual card number, and 
1ST*, cardholder's actual card number o J. - 
issuer's authorization processor 26. At S15. the cam 
25 issuers authorization processor 26 rece.ves the card- 

completes the transaction with the user ,2. 
S] m another aspect of an embodiment of the 
present invention, the card issuer 8, such as a bank 
35 Ses an electronic wallet system, mc.ud.ng for 
eTrnpl , an electronic wa.let server. In this aspecUhe 
SuTng bank 8 matches the anonymous card number 
S the actual user account. If the electronic wane gen- 
Tates an anonymous card numberforthe cardholder 2 
40 for which the wallet server is not the issuing bank, then 
me anonymous card number is sent back to the wallet 
Terver fo matching the anonymous card number w h 
me actual user card number and for sending t to he 
ssufnq bank 8 for authorization. In this situation the 
« SS* Pallet, in effect, performs an acquinng bank 

SSf" Another aspect of an embodiment of the 
Testnt invention enables the cardholder 2 to perform a 
Lsaction. such as a purchase, at a jjj-^j 
so sale without revealing the cardholders true card 
numbe?Fig 5 is a schematic diagram wh.ch illustrates 
an example of key components and me flow of mforma 
^ between the'key components for an aspec a 
embodiment of the present invention in which .alter 

pfoTa caTd 32 with no embossed number but with an 
SpufdLe 34, such as a keypad, a display 36, such as 
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*» WO** »" * SL moL » **«» 

2 performing a point-of-sale p an*ca 
embodiment of the present invention the use 2 
a password onto the input device * su h as ^ 
pad, or alternatively the user 2 enters £ b.ome . 
as a fingerprint, onto the ^™^™^ort 
metric input device. Upon ^^Te anonymous 

assays 

is dipped in the card dev^e 42 Jean pro ^ 
number of the cardholder bu tl* d, P y ^ ^ 
anonymous number In th ' s ™° n ' , card num ber. 
chant cannot read the cardhold * be for a 

one-time use, in case the numo )n 
tne point of sale, but it ™™«*«^ZL* obtain 

bank 6, ™* number a,S ° haS 

proper position. The anon y m °" . tn transa ction is 

senttothecon-ectissu ng banka or g 
authorization approval. When tt» « u.ng^ 
receives the number and J* 8 *^ a spe - 

zation, rt sends the anonymous , ^ 
oial front-end processor 24 Jheprace ssor 2 

M^^-J^TSK, module co- 



i, a match ^, ired . „ „ 

mmb e, -ch« « EES, 1 ^ w as 

the transaction is rejected, ihe ^n° g 

and request a new anonymous _card nu 
domly selected anonymous card numbe ^ 
for one validation, and a "^S^ MtlB ned 
wi „ not be assigned unt.l T^, first . 

20 number is either used or snow the 

Any receipts provided to the customer 2m 

action. The T^^^t^ numbers and 

25 £t-n^«^*£^,^ and 
?0040] in the ^f^T^ "ion, the 

anonymous or atematec^ The jssuing 

30 not the cardholders actual <*> cardholder's 
hank 8 associates the ^^S**** 

T tn IT aTrs tot S The anonymous 
duraton, such as lb bstjtuting new anony- 

tions of the cardholders number 

I0Q41] There are • "^J^hJ* *. 

card numbers are generated for an «r > 

present invention. The W™^*^ number 
«, numbersinvolves.for^ 

generation scheme with the addrt onal r q ^ 

the same number cannot be yal.d for m 

2£| 2 ' The assigned anonymous or alternate card 
[0042] The ^'9™ ' t invent ion can 

number for an embod^ent c he P e s ^ 
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number assigned by the card issuing .nstrtut.on 8 for 
purposes of identifying an individual account. The 
check digit is the checksum calculated from the rest of 
the number. 

r00431 Most commonly issued credit card numbers 
comprise 16 digits. For example, a valid cred.t card 
number for a financial institution, such as .ssuing bank 
8 can be AAAAAA XXXXXXXXX C, where AAAAAA 
represents the BIN and is fixed. XXXXXXXXX are n.ne 
arbitrarily assigned digits, and C represents the check- 
sum and is calculated from the other dig.ts. Thus the 
card issuer 8 can arbitrarily set 9 or 1 1 of the 16 digits to 
any number for the one-time use, adjust the checksum 
to its new correct value, and the card number w.ll check 
out as valid by the validation systems of the merchant 4 
and the merchant's bank 6. A bank desiring to use this 
scheme must obtain a new BIN to be used exclusively 
for Internet transactions. This eliminates the need of 
preventing the issuance of a one-time use number that 
is duplicative of existing or hot-carded numbers. 
[00441 Alternatively, in an embodiment of the 
present invention, the bank, such as issuing bank 8, can 
use an existing BIN by reserving one or more special 
digits in one or more specially designated posrtions to 
identify the card number as an anonymous card 
number, such as AAAAAA S XXXXXXXXX C, where S 
is the special symbol in designated posit.on number 
seven. If there are already existing real card numbers 
with symbol S in position number 7, it is not possible to 
use these numbers as anonymous card numbers, and 
they must be rejected as valid anonymous card num- 
bers by the anonymous number generator. In such 
case the bank has only 8 or 10 digits available to ass.gn 
an anonymous card number. Longer numbers can be 
generated if the card association standards are mod.- 
Ld to allow longer bit streams, or if the part,c.pat.ng 
financial institutions agree to accept these longer bit 

SsT m an embodiment of the present invention, 
the assigned one-time use anonymous card number 
passes validation by the merchant 4 and merchants 
bank 6 because it has all the required digits in i the 
proper position. It is passed to the correct issuing bank 
8 because the BIN is correct. The anonymous card 
number is correctly associated with the cardholders 
actual card number by the cardholder's issu.ng bank 8, 
as long as it has not passed the expiration period The 
cardholder's issuing bank 8 substitutes the cardholder's 
actual card number for the anonymous card number 
and passes the number along for normal authorization 
[00461 In an embodiment of the present invention, if 
!he transaction is rejected because the anonymous card 
number does not pass the match test, the cardholder 2 
must go to the web site of the cardholder's issu.ng bank 
8 and request a new number. The assigned anonymous 
card number is good for only one validation. A new 
anonymous number will not be assigned unt,l the first 
number is either used or expires. Any response back to 



the merchant 4 includes the anonymous card number. 
[00471 In one aspect of an embodiment of the 
present invention, the anonymous or alternate card 
number is generated at the issuing bank server 14 and 
5 transmitted either directly to the merchant 4 or to the 
cardholder's PC or token 10 for relay to the merchant 4 
However, in an alternate aspect of and embodiment of 
the present invention, the anonymous card number is 
generated locally at the cardholders PC or hardware 
,o device 10, such as a smart card, personal d.grtal ass.st- 
ant (PDA) type device, or Security Dynam.cs type c*ro. 
The local/client software 30 can be downloaded from 
the issuing bank server 8 or installed. 
[00481 In an embodiment of the present .nvention, if 
is the customer 2 or the customer's electronic wallet 28 is 
asked to re-present the alternate card number .n case 
for example, its transmission to the merchant 4 was not 
received or was received garbled, the alternate card 
number is resent unless it has already exp.red. If .t has 
20 expired, a new alternate card number is generated and 
sent If the authorization was completed the first t.me 
the alternate card number was presented, then it can be 
recognized as a duplicate charge by the merchant 4 .f 
the alternate card number is the same, s.nce there are 
2 s two charges for the same amount with the same alter- 
nate card number. If the merchant 4 is sent a new alter- 
nate card number, then the customer 2 and h.s or her 
issuing bank 8 will recognize it, because the customers 
credit card statement will reflect a double charge 
30 against the customer's actual card number, which was 
correctly substituted forthe alternate card numbers both 

[00491 In an embodiment of the present invention, if 
ihe merchant 4 receives the alternate card number but 
35 is asked by the merchant bank 6 to re-present, or .f the 
merchant bank 6 is asked by the credit card network 20 
to re-present, then the original alternate card number is 
re -presented, whether or not the alternate card number 
has already expired. If the alternate card number has 
40 expired, the transaction will not be approved and the 
customer 2 or the customer's electronic wallet 28 is 
requested to send a new alternate card number, which 
it will do. If the alternate card number has exp.red or 
timed-out by the time it reaches the issuing bank 8 for 
45 authorization approval, the authorization .s denied and 
the customer 2 or the customer's electrons wallet 28 

must resubmit. ., 
[00501 In an embodiment of the present invention, if 
the card network 20 stands-in because the authonza- 
so tion by the issuing bank 8 takes too long, then the issu- 
ing bank 8 treats the charge as valid, just as it would .n 
any other stand-in situation. The issuing bank 8 knows 
the actual card number with which the charge is .associ- 
ated because the issuing bank 8 can match the alter- 
55 nate'card number with the actual card number. 

[00511 In an embodiment of the present invention, 
in order to handle any disputes, the issuing bank 8 
maintains a log for each transaction of the merchant 4, 
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with the amount, the alternate card number and the 
actual card number. The merchant 4 can trace the mer- 
chant's sale to the alternate card number, and the cus- 
tomer 2 can trace his or her purchase via the customer's 
actual card number. The issuing bank 8 can associate 
or match the two because it has a record of the alter- 
nate card number that is associated with the actual card 
number for the transaction. If the alternate card number 
is used for two transactions, the issuing bank 8 can spot 
that situation as well. In fact, if there is an attempt to use 
the same alternate card number twice for two different 
charges, the issuing bank 8 will deny the second 
attempt. 

[0052] In an embodiment of the present invention, 
anonymous card numbers can be generated in several 
different ways. For example, the anonymous card 
number sequences can either be continuously gener- 
ated at fixed time intervals or at each new request 
event This can be achieved a number of ways, such as 
Security Dynamics algorithm, a random sequence gen- 
erator and a secure-hashing algorithm. If the issuing 
bank/such as card issuer 8, that assigns the anony- 
mous card sequence is the same bank that validates it, 
there is no need to synchronize clocks. 
[0053] In an embodiment of the present invention, if 
a number is generated that has already been ass.gned 
and has not yet expired, it will not be assigned, but a 
new number will be generated. The shorter the expira- 
tion period, and the more digits in the assigned number 
sequence, the less likelihood there is that such a conflict 
will occur. The anonymous number generator algorithm 
is designed to only issue new numbers that do not con- 
flict with already issued and non-expired anonymous 
numbers or already assigned actual card numbers. This 
means it is designed to prevent the generation of a con- 
flict or is capable of generating a new number within 
acceptable delays, not exceeding, for example, a couple 
of seconds, when a conflict does arise. 
[0054] Alternatively, in an embodiment of the 
present invention, the issuing bank can run a number of 
anonymous number generators in parallel, so tat i one 
such generator generates a duplicate, a non-duplicate 
number can be obtained from one of the other number 
generators, or a batch of alternative numbers can be 
generated in advance from which the next alternative 
number can be selected. In an embodiment of the 
present invention, a single common number generator 
can be employed to service all cardholder's requests, or 
a different number generator can be dedicated to each 
active cardholder or to some subset of the total card- 
holder population. . 
[0055] In an embodiment of the present invention, 
the expiration interval is not so short that it expires 
before the cardholder 2 has time to send the sequence 
to the merchant 4 and have it processed and relayed 
through the merchant bank 6 back to the issuing bank 8. 
For this purpose, the expiration interval is at least, for 
example, about 15 minutes, but the expiration interval is 



adjustable to fit the application and situation. If a new 
card number sequence is assigned every second, 900 
sequences must be generated every 15 minutes, and a 
typical sequence is 9 to 1 1 digits long. A 9-digit number 
5 generator is designed to produce 1 billion, or 10 to the 
ninth power, of non^iuplicate sequences before . 
repeats, ensuring that it will not produce a repeat 
sequence within a 15 minute interval during winch 900 
sequences are generated. 
io [0056] An embodiment of the present invention 
makes use of any of a number of alternate card number 
generating algorithms. For example, Linear Congruen- 
tial Generators are pseudo random sequence genera- 
tors of the form: 

Xn = (aXnl +b) mod m 



Where Xn = nth number of the sequence, Xn1- previ- 
ous number of the sequence, a. b and m are constants 
2 o where a is called the multiplier, b is called the increment 
and m is called the modulus. When a, b, and m are 
properly chosen, they can produce a pseudo-random 
sequence of maximal length, period m before they 
repeat themselves. Linear Congruential Generators are 
25 fast algorithms, but the output of a Linear Congruential 
Generator is not cryptographically secure. In other 
words, a cryptographer can. in a practical period of time, 
determine the next number of the sequence from exam- 
ining past numbers in the sequence. Thus this algorithm 
30 can be vulnerable to attack. 

[0057] However, with this algorithm for an embodi- 
ment of the present invention, an eavesdropper cannot 
obtain past numbers in the sequence when they are 
sent over encrypted lines. In that case, it would be nec- 
35 essary for the eavesdropper to collect the numbers at a 
merchant server, and these numbers may not be in 
sequential order at the particular merchant, since shop- 
pers frequent a number of merchants in relatively ran- 
dom order. The cardholder can be prevented from 
40 collecting a sequence of alternate card numbers by 
selecting the alternate card number from a collection of 
alternate number generators used to supply numbers ; to 
multiple cardholders. This decreases the likelihood that 
a single eavesdropper can capture a sufficiently long 
45 sequence of anonymous numbers from a single anony- 
mous number generator to enable reverse engineering. 
[0058] Linear Feedback Shift Registers can also be 
used to produce pseudo-random sequences of num- 
bers for an embodiment of the present invention, and 
so can be designed to be maximal length. Fig. 6 is a di- 
gram which illustrates a sample Linear Feedback Sh.ft 
Register for generating anonymous or alternate card 
numbers for an embodiment of the present invention 
The Linear Feedback Shift Register is only one such 
55 method for generating a random number. Alternatively, 
a random number could be used as a seed to a crypto- 
graphic hash algorithim or digital signature algor.tr.im 
for any of the other methods discussed below. Linear 
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Feedback Shift Registers are also fast and also not 
cryptographically secure, but they can be combined to 
produce sequences that, although they cannot be 
proven to be cryptographically secure, are not known to 
have been broken. Examples include the "Bilateral Stop 
and Go Generator*' and the "N Threshold Generator". 
[0059] Another approach for an embodiment of the 
present invention employs a symmetric cryptographic 
algorithm known to be secure, such as RC4 by RSA 
Data Security, which requires more processing power. If 
the issuing bank server generates and matches the 
sequence, it is not necessary for the key to be shared or 
distributed. There is a certain degree of risk even when 
using cryptographic algorithms that are known to be 
secure. Over time, as computers grow in power, previ- 
ously secure cryptographic algorithms can succumb to 
practical attacks. For example, 40-bit Data Encryption 
Standard (DES) is no longer considered secure against 
attacks, as today's affordable computers have been 
shown to have sufficient power to break this algorithm 
within reasonable timeframes in a matter of hours. 
[0060] Another approach to generating anonymous 
or alternate card numbers for an embodiment of the 
present invention is to pick numbers in a sequence from 
tables of known truly random numbers, such as RAND 
tables. The actual selection of numbers from this table 
can be randomized using one of a number of tech- 
niques such as the ones described above. Alternatively, 
a random sequence can be generated from some actual 
random physical process, such as measuring keyboard 
latency, or electrical noise out of an electronic device. 
[0061] In an embodiment of the present invention, 
pseudo-random numbers sequences can be made still 
further cryptographically secure by combining tech- 
niques, such as Linear Feedback Shift Register or sym- 
metric algorithms to select numbers from a random 
number table, which are then cryptographically hashed 
with an algorithm such as Secure Hash Algorithm 
(SHA). 

[0062] An aspect of an embodiment of the present 
invention also provides a general means of an agent 
authentication. For example, a user can authenticate 
himself or herself to the user's agent and receive an 
authenticating number. The authenticating number 
serves, for example, as a kind of one-time authentica- 
tion token that is issued to the user and can be used to 
enable the user to authenticate himself or herself to any 
other service, without the need for additional passwords 
or secrets. 

[0063] In another aspect of an embodiment ot trie 
present invention, since the alternate card number is 
generated on a per transaction basis, it can be used by 
the card processor, such as card issuer 8, to keep track 
of where (over what channel) and to whom (what mer- 
chant number was used). For example, if the request for 
an alternate number was requested at a wallet, such as 
the user's electronic wallet 28, over the Internet to be 
supplied to an Internet merchant, such as merchant 4, 



then the issuing bank 8 can identify and keep track of 
which purchases were made over the Internet and with 
which merchants. This information can be used for both 
fraud management and control purposes and for mar- 
5 keting purposes, such as special merchant promotions 
or promotions to customers for purchases made over 
the Internet. Similarly, it can be used to keep track of 
purchases made over the telephone and the like. 
[0064] In another aspect of an embodiment of the 
w present invention, when a server-based wallet, such as 
the user's electronic wallet 28, is used, it is technically 
possible for the wallet 28 to receive the merchant pay- 
ment request form and not only to generate the alter- 
nate number, but also to pre-approve the purchase and 
15 to provide the merchant 4 with an alternate card number 
and an authorization code simultaneously. Although 
technically possible, it would be necessary to have such 
a process approved by the card association. However, if 
permitted, such a process has several advantages. 
20 From the merchant's perspective, for example, it saves 
the merchant the time required to make an authoriza- 
tion. Time is critical for transactions made over the Inter- 
net. 

[0065] In an effort to make the shopping experience 
25 fast and convenient for users, many merchants actually 
take the credit card number and do not even attempt to 
obtain a credit authorization in real-time. Rather, they 
batch the transactions up and obtain authorizations 
after the fact. In that case, a merchant may find after the 
30 fact that the authorization was declined, and it becomes 
necessary for the merchant to get back in touch with a 
consumer. In the case of digital goods, knowledge of the 
denial may likely occur after the digital goods and serv- 
ices are already been distributed. 
35 [0066] in the aspect in which the server-based wal- 
let 28 also pre-approves the purchase and provides the 
merchant 4 with an alternate card number and authori- 
zation code simultaneously, in the bank's case, this 
authorization flow eliminates the risk of stand-in, in 
40 which the issuing bank, such as card issuer 8, is unable 
to get back fast enough, and the card association 
stands-in for the issuing bank 8 and automatically 
approves the transaction, with the issuing bank 8 still 
assuming the risk of collection. 
45 [0067] Various preferred embodiments of the inven- 
tion have been described in fulfillment of the various 
objects of the invention. It should be recognized that 
these embodiments are merely illustrative of the princi- 
ples of the present invention. Numerous modifications 
so and adaptations thereof will be readily apparent to those 
skilled in the art without departing from the spirit and 
scope of the present invention. Accordingly, the inven- 
tion is only limited by the following claims. 
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A method for performing a transaction by a transac- 
tion card user, comprising: 
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authenticating the transaction card user; 
generating an anonymous card number for the 
transaction card user; 

associating the anonymous card number with a 
transaction card number of the transaction card 
user; and 

authorizing the transaction with the anonymous 
card number for the transaction card user. 

The method of claim 1, wherein authenticating the 
transaction card user further comprises authenti- 
cating the transaction card user by a transaction 
card issuer. 

The method of claim 2, wherein authenticating the 
transaction card user further comprises authenti- 
cating the transaction card user by a server of the 
transaction card issuer. 

The method of claim 2, wherein authenticating the 
transaction card user further comprises receiving 
transaction card user information by the transaction 
card issuer. 

The method of claim 4, wherein receiving the trans- 
action card user information further comprises 
receiving the information from the transaction card 
user. 

i The method of claim 5, wherein receiving the trans- 
action card user information further comprises 
receiving the information at a computing device 
coupled to a server of the transaction card issuer. 

7 The method of claim 6, wherein receiving the trans- 
action card user information further comprises 
receiving the information by the transaction card 
issuer's server in encrypted form. 

8 The method of claim 6, wherein receiving the trans- 
action card user information further comprises 
receiving the information at the computing device 
coupled over a global network to the transaction 
card issuer's server. 

9. The method of claim 6, wherein the computing 
device further comprises a personal computer. 

10 The method of claim 9, wherein the computing 
' device further comprises an electronic wallet appli- 
cation of the personal computer. 

11. The method of claim 6, wherein receiving the trans- 
action card user information further comprises 
receiving at least one of a personal identification 
number, a password, a biometric sample, a digital 
signature, and a transaction card number for the 
transaction card user. 



12 The method of claim 1, wherein authenticating the 
' transaction card user further comprises authenti- 
cating the transaction card user at a local comput- 
ing device. 

13. The method of claim 12, wherein the local comput- 
' ing device further comprises one of a personal 

computer, a personal digital assistant, and a smart 
card. 

14. The method of claim 12, wherein authenticating the 
' transaction card user further comprises authenti- 
cating the transaction card user by an application 
on the local computing device. 

15. The method of claim 14, wherein the application of 
the local computing device further comprises an 
electronic wallet application. 

16 The method of claim 1 2, wherein authenticating the 
transaction card user further comprises receiving 
transaction card user information by an application 
on the local computing device. 

17 The method of claim 16, wherein the transaction 
card user information further comprises at least one 
of a personal identification number, a password, a 
biometric sample, a digital signature, and a transac- 
tion card number for the transaction card user. 
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18 The method of claim 1, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number by a transaction 
card issuer. 

19 The method of claim 18, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number by a server of 
the transaction card issuer. 

20 The method of claim 19, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number by a number 
generator of the transaction card issuer's server. 

21 The method of claim 1, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number at a local com- 
puting device. 

22 The method of claim 21, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number by a number 
generating application on the local computing 
device. 

23 The method of claim 22, wherein generating the 
anonymous card number further comprises gener- 
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ating the anonymous card number by the number 
generating application on the local computing 
device synchronized with a number generator of a 
transaction card issuer. 

The method of claim 1, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number according to 
pre-defined parameters limiting use of the anony- 
mous card number exclusively to the transaction by 
the transaction card user. 

25 The method of claim 1, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number according to 
pre-defined parameters limiting use of the anony- 
mous card number to a predetermined time period. 
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32 The method of claim 31, wherein associating the 
anonymous card number further comprises linking 
the anonymous card number with the transaction 
card user's transaction card number by a server of 
a transaction card issuer. 

33. The method of claim 1, wherein authorizing the 
transaction further comprises authorizing the trans- 
action by a transaction card issuer. 

34 The method of claim 33, wherein authorizing the 
transaction further comprises authorizing the trans- 
action by an authorization processor of the transac- 
tion card issuer. 
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The method of claim 1, wherein generating the 
anonymous card number further comprises gener- 
ating the anonymous card number according to a 
pre-selected number generating scheme selected 
from a group of schemes consisting of a random 
number generating algorithm, a random sequence 
generator, and a secure-hashing algorithm. 

The method of claim 1. wherein associating the 
anonymous card number further comprises associ- 
ating the anonymous card number with the transac- 
tion card user's transaction card number by a 
transaction card issuer. 

The method of claim 27, wherein associating the 
anonymous card number further comprises associ- 
ating the anonymous card number with the transac- 
tion card user's transaction card number by a 
server of the transaction card issuer. 

29 The method of claim 28, wherein associating the 
anonymous card number further comprises linking 
the anonymous card number with the transaction 
card user's transaction card number by a number 
generator of the transaction card issuer's server. 

30 The method of claim 29, wherein associating the 
anonymous card number further comprises linking 
the anonymous card number with the transaction 
card user's transaction card number by an authori- 
zation processor of the transaction card issuer's 
server. 

31 The method of claim 1, wherein associating the 
anonymous card number further comprises linking 
the anonymous card number with the transaction 
card user's transaction card number according to a 
pre-defined sequence synchronization with a 
number generator of a local computing device. 



36. 



35. The method of claim 34, wherein authorizing the 
transaction further comprises receiving the anony- 
mous card number linked to the transaction card 
user's transaction card number. 

The method of claim 1, wherein authorizing the 
transaction further comprises sending the authori- 
zation with the anonymous card number to a mer- 
chant for the transaction card user. 

37. A system for performing a transaction by a transac- 
tion card user, comprising: 

means for authenticating the transaction card 

30 user; 

means for generating an anonymous card 
number for the transaction card user; 
means for associating the anonymous card 
number with a transaction card number of the 
35 transaction card user; and 

means for authorizing the transaction with the 
anonymous card number for the transaction 
card user, 

40 38 The system of claim 37, wherein the means for 
authenticating the transaction card user further 
comprises a server of a transaction card issuer. 

39. The system of claim 38, wherein the means for 
45 authenticating the transaction card user further 
comprises a computing device coupled to the trans- 
action card issuer's server for receiving transaction 
card user information. 

so 40 The system of claim 39, wherein the means for 
authenticating the transaction card user further 
comprises means of at least one of the computing 
device and the transaction card issuer's server for 
encrypting the transaction card user's information. 

41. The system of claim 40, further comprising the 
computing device coupled over a global network to 
the transaction card issuer's server. 
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42. The system of claim 41, wherein the computing 
device further comprises a personal computer. 

43. The system of claim 42, wherein the computing 
device further comprises an electronic wallet appli- 
cation of the personal computer. 

44. The system of claim 42, wherein the transaction 
card user's information further comprises at least 
one of a personal identification number, a pass- 
word, a biometric sample, a digital signature, and a 
transaction card number for the transaction card 
user. 

45. The system of claim 37, wherein the means for 
authenticating the transaction card user further 
comprises a local computing device. 

46. The system of claim 45, wherein the local comput- 
ing device further comprises one of a personal 
computer, a personal digital assistant, and a smart 
card. 

47. The system of claim 46, wherein the means for 
authenticating the transaction card user further 
comprises an application on the local computing 
device. 

48. The system of claim 47, wherein the means for 
authenticating the transaction card user further 
comprises an electronic wallet application of the 
local computing device. 

49. The system of claim 45, wherein the means for 
authenticating the transaction card user further 
comprises an input device of the local computing 
device for receiving transaction card user informa- 
tion by an application on the local computing 
device. 

50. The system of claim 49, wherein the transaction 
card user information further comprises at least one 
of a personal identification number, a password, a 
biometric sample, a digital signature, and a transac- 
tion card number for the transaction card user. 



51 . The system of claim 37, wherein the means for gen- 
erating the anonymous card number further com- 
prises a server of the transaction card issuer. 

52. The system of claim 51 , wherein the means for gen- 
erating the anonymous card number further com- 
prises a number generator of the transaction card 
issuer's server. 

53. The system of claim 37, wherein the means for gen- 
erating the anonymous card number further com- 
prises a local computing device. 



54. The system of claim 53, wherein the means for gen- 
erating the anonymous card number further com- 
prises a number generating application on the local 
computing device. 

5 

55. The system of claim 54, wherein the means for gen- 
erating the anonymous card number further com- 
prises the number generating application on the 
local computing device synchronized with a number 

10 generator of a transaction card issuer. 

56. The system of claim 37, wherein the means for gen- 
erating the anonymous card number further com- 
prises means for generating the anonymous card 

15 number with pre-defined parameters limiting user of 
the anonymous card number exclusively to the 
transaction for by transaction card user. 

57. The system of claim 37, wherein the means for gen- 
20 erating the anonymous card number further com- 
prises means for generating the anonymous card 
number with pre-defined parameters limiting use of 
the anonymous card number to a predetermined 
time period. 

25 

58. The system of claim 37, wherein the means for gen- 
erating the anonymous card number further com- 
prises means for generating the anonymous card 
number according to a pre-selected number gener- 

30 ating scheme selected from a group of schemes 
consisting of a random number generating algo- 
rithm, a random sequence generator, and a secure- 
hashing algorithm. 

35 59. The system of claim 37, wherein the means for 
associating the anonymous card number further 
comprises a server of a transaction card issuer. 

60. The system of claim 59, wherein the means for 
40 associating the anonymous card number further 

comprise a number generator of the transaction 
card issuer's server. 

61. The system of claim 60, wherein the means for 
45 associating the anonymous card number further 

comprises an authorization processor of the trans- 
action card issuer's server. 



62. The system of claim 37, wherein the means for 
so associating the anonymous card number further 

comprises a number generator of a server of a 
transaction card issuer in a pre-defined sequence 
synchronization with a number generator of a local 
computing device. 

55 

63. The system of claim 37, wherein the means for 
authorizing the transaction further comprises a 
server of the transaction card issuer. 
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64. The system of claim 63, wherein the means for 
authorizing the transaction further comprises an 
authorization processor of the transaction card 
issuer's server. 

5 

65. The system of claim 37, wherein the means for 
authorizing the transaction further comprises 
means for sending an authorization for the transac- 
tion with the anonymous card number to a mer- 
chant for the transaction card user. * 
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